By Staff Writer.
Cyber-attackers are exploiting a remote code execution (RCE) vulnerability in Microsoft’s Support Diagnostic Tool (MSDT) that potentially allows the attacker to install programs, view or change data, or create new accounts in line with the victim’s user permissions.
Microsoft disclosed the vulnerability, tagged “Follina,” earlier this week. At the time of publication, no patch is available. The name comes from the zero-day code referencing the area code of Follina, Italy.
“The RCE appears to have been exploited as far back as April and recently came to broad public attention after a researcher began investigating a malicious sample on VirusTotal,” says Claire Tills, senior research engineer at cybersecurity company Tenable.
Ms Tills says researchers recently began reproducing the issue and determined that it was a zero-click exploit, that is, no user interaction is required. Ms Tills notes that given the similarities between CVE-2022-30190 and CVE-2021-40444, researchers speculate that other protocol handlers may also be vulnerable, further developments and exploitation attempts are anticipated.
Infection involves a malicious template loading via a hypertext markup. Versions of MS Office dating from 2003 to the present are at risk. Researchers at Japanese cybersecurity consultancy Nao Sec say that hypertext markup uses the “ms-msdt” MSProtocol URI scheme to run a piece of PowerShell code. One researcher has successfully run the Follina MSDT exploit on fully patched Office 2021 software.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” says the Microsoft alert.
The vulnerability is slightly unusual in that it does not depend on the macro-based exploit path most Microsoft Office-based attacks follow. The Australian Cyber Security Centre warns that cyber-attackers are already using the Follina vulnerability to target Australian organisations.
Nao Sec also adds that they’ve uncovered a live sample of the bug that they found in a Word document template with links to an internet protocol address in Belarus. The infected code can run via MSDT even if macros are disabled.
“I have successfully integrated CVE-2022-30190 ms-msdt vulnerability to MacroPack Pro. Docx format done, including trojaning existing document. I am now looking at porting to xlsx format,” said one person on Nao Sec’s Twitter feed on Wednesday.
Claire Tills says Microsoft Office documents are a popular attack vector for cyber-attackers. Microsoft suggests disabling MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system.
Microsoft also adds customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission, adding;
“These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats,” the software company says.
Claire Tills says the Follina vulnerability is a timely warning of the dangers of opening attachments and notes people need to act with caution continuously.
“Because this is a zero-click exploit, there isn’t as much individual users can do, however, a healthy dose of scepticism goes a long way. Users should always be suspicious of attachments from untrusted sources.”
